Earth Freybug, a cyber threat group with ties to China, has recently been observed utilizing a new malware dubbed UNAPIMON, designed to operate covertly. This group, active since at least 2012, has been associated with espionage and financially motivated activities, targeting organizations across various sectors and countries. UNAPIMON, deployed by Earth Freybug, is part of a sophisticated cyber campaign characterized by the group’s reliance on living-off-the-land binaries (LOLBins) and custom malware to achieve its objectives. Moreover, this malware leverages techniques such as DLL hijacking and API unhooking, demonstrating the group’s evolving tactics.
Trend Micro researchers have identified Earth Freybug as a subset within APT41, a China-linked cyber espionage group known by various aliases. The group’s activities share similarities with Operation CuckooBees, a previously disclosed campaign targeting technology and manufacturing companies in multiple regions. The attack chain begins with the use of legitimate executables like “vmtoolsd.exe” to initiate malicious tasks, highlighting the group’s adeptness at exploiting vulnerabilities in widely-used software.
The deployment of UNAPIMON by Earth Freybug marks a significant evolution in their cyber operations, showcasing the group’s ability to adapt and innovate over time. Despite the malware’s simplicity, it effectively evades detection in sandbox environments by leveraging open-source Microsoft libraries and unhooking critical API functions. This underscores the importance of vigilance and advanced cybersecurity measures in detecting and mitigating evolving threats posed by sophisticated threat actors like Earth Freybug.
